Introduction

* Problem
  — Call sign “spoofing” is trivial within AX.25 packet radio networks.
    * Configure a computer to place a bogus FCC call sign in all AX.25 packets transmitted.
  — It is often difficult for the recipient of a message to determine whether the message has been “spoofed”.

Introduction

* In 2004, Paul Toth (NA4AR) and the ARRL High-Speed Multimedia & Network Workgroup published a report titled “Security & Data Integrity on a Modern Amateur Radio Network” that requested ...

  “... the support of the ARRL Board of Directors for development and filing of a ‘Notice of Proposed Rulemaking’ permitting the use of encryption and strong security protocols on domestic transmissions above 50 MHz”.

Introduction

* The authors claimed that ...

  “... licensees in the Amateur Radio Service need to be free to utilize ... industry-standard security and authentication tools to protect the integrity of their stations”.

Introduction

* FCC Part 97.113 rule

  “(a) No amateur station shall transmit ... (4) ... ; messages encoded for the purpose of obscuring their meaning, except as otherwise provided herein;”

Introduction

* Encryption is ...
  — A process by which the bits of a message are modified (i.e. scrambled) in such a way that only the intended recipient can extract information.
    * An individual that intercepts a copy of an encrypted message will not be able to extract information.

Introduction

* Authentication refers to the ability of an individual or station to determine whether ...
  1. The sender of a received message is who they assert they are.
  2. The message received is what was transmitted.
* I can authenticate a message without encrypting it.

Introduction

* Solution
  — Use authentication software!
  — The message recipient is now able to determine whether ...
    * The message was actually transmitted by the source.
    * The received message was the one actually transmitted.

Introduction

* The research presented here, and discussed in the paper, explores the use of the following authentication software when transmitting messages.
  — Gnu Privacy Guard (GPG)
  — Secure Socket Layer and Transport Layer Security (SSL/TLS)
  — Internet Protocol Security (IPsec)

Introduction

* Specifically, we compare the time required to transmit messages over a 2-meter AX.25 packet radio network using “no authentication”, GPG, SSL/TLS, and IPsec.

Introduction

* I will discuss the following topics during this presentation.
  1. Materials
  2. Methods
  3. Results
  4. Conclusions
  5. Future Research?

Materials

[Figure 1 diagram: PC dcrld1.dcrl.ulm.edu (44.128.2.111) <-> TNC <-> Tx/Rx <-> 145.010 MHz <-> Tx/Rx <-> TNC <-> PC dcrld0.dcrl.ulm.edu (44.128.2.110)]

Figure 1: The logical hardware configuration of our AX.25 packet radio stations dcrld0 and dcrld1.

Materials

* Software Requirements
  1. We wanted to investigate how application layer, transport layer, and network layer authentication software influence data transmissions over AX.25 packet radio networks.
  2. We required the use of data transmission server software (e.g. FTP server or web server) that would allow us to evaluate each authentication software independently.

Materials

* Software Requirements Continued
  3. We required the use of command line oriented client software that would allow us to retrieve data from the data transmission server software we chose to use.
  4. We required the use of network protocol analyzer software to inspect every packet transmitted between the client and server.
  5. We required open source software that could be installed on the Fedora Linux operating system.

Materials

Table 1: Specific software used to conduct our research.

Software                                       Associated Website or RFC
Apache Web Server                              http://www.apache.org/
cURL                                           http://curl.haxx.se/
UNIX time command                              http://www.kernel.org/doc/man-pages/online/pages/man1/time.1.html
Wireshark                                      http://www.wireshark.org/
Gnu Privacy Guard                              http://www.gnupg.org/
Secure Socket Layer/Transport Layer Security   http://datatracker.ietf.org/doc/rfc5246/
Internet Protocol Security                     http://datatracker.ietf.org/doc/rfc4301/

Materials

Application Layer
Transport Layer     TCP & SSL/TLS
Network Layer       IP
Data Link Layer     AX.25
Physical Layer      145.010 MHz

Figure 2: An “authentication enabled” generic data communication protocol stack.

Materials

* Three text files
  — text4KB.txt, text8KB.txt, and text16KB.txt
  — Comprised of text data. E.g. “01234567890123 ...”

Methods

* Alice installs and configures a standard Apache web server on dcrld1.
  — She places the three text files within the Apache web server’s home directory.
* Bob installs and configures Wireshark on dcrld0.
  — He starts Wireshark before each file transmission.

No (i.e. “None”) Authentication

* Bob uses the cURL client on dcrld0 to retrieve each of the three text files on dcrld1 twenty times.
  — time curl http://dcrld1.cs.ulm.edu/text#KB.txt > /tmp/text#KB.txt

No (i.e. “None”) Authentication

* Bob records transmission times in a Microsoft Excel spreadsheet.
* Bob computes the average transmission time for each text file.

GPG Authentication

September 24, 2010 2010 TAPR/ARRL Digital Communication Conference Slide 26 of 50
ULM Digital Communication Research Laboratory

* Alice and Bob install and configure GPG on dcrld1 and dcrld0 respectively.
* They create GPG public and private keys.
* They exchange their GPG public keys in a secure manner.
* They add the other's GPG public key to their key ring.
* They GPG sign the other's GPG public key with their GPG private key.

GPG Authentication

* Alice GPG clearsigns the three text files and places the GPG clearsigned versions within the Apache web server’s home directory.

012345678901234567890123456789012345678901234567890 ...     <- Unencrypted Data
012345678901234567890123456789012345678901234567890 ...

Version: GnuPG v1.4.7 (GNU/Linux)                           <- GPG Signature
[ASCII-armored signature block omitted]

Figure 3: An example GPG “clearsigned” file.

GPG Authentication

* Bob uses the cURL client on dcrld0 to retrieve each of the three GPG clearsigned text files on dcrld1 twenty times.
  — time curl http://dcrld1.cs.ulm.edu/text#KB.txt.dcrld1.asc > /tmp/text#KB.txt.dcrld1.asc
* Bob GPG verifies the authenticity of each GPG clearsigned text file retrieved.

GPG Authentication

* Bob records transmission times in a Microsoft Excel spreadsheet.
* Bob computes the average transmission time for each GPG clearsigned text file.
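
The clearsign and verify steps above, worked end to end as an added example (not code from the slides or the paper): Alice signs a 4 KB digit file, Bob checks the copy as sent and a copy altered in transit, and the payload stays readable throughout. It assumes GnuPG 2.1 or later; the key identity, temporary directories and `tampered.asc` are constructed for the demo, and Bob's certification of Alice's key is skipped.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): Alice clearsigns a file, Bob verifies it.
# The key identity, directories and file names are constructed for this demo.

setup() {
  ALICE=$(mktemp -d); BOB=$(mktemp -d); WORK=$(mktemp -d)   # separate keyrings
  # Alice: throwaway signing key with no passphrase
  gpg --homedir "$ALICE" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Alice (constructed demo key) <alice@example.invalid>' \
      2>/dev/null
  # Bob receives only Alice's PUBLIC key (stands in for the secure exchange;
  # the local key-signing step from the slides is skipped here)
  gpg --homedir "$ALICE" --batch --armor --export alice@example.invalid |
    gpg --homedir "$BOB" --batch --quiet --import 2>/dev/null
  # 128 lines x 32 bytes = 4096 bytes of digits, in the style of text4KB.txt
  yes 0123456789012345678901234567890 | head -n 128 > "$WORK/text4KB.txt"
}

# Alice: writes FILE.asc holding the readable text plus an armored signature.
alice_sign() { gpg --homedir "$ALICE" --batch --yes --quiet --output "$1.asc" --clearsign "$1"; }

# Bob: exit status 0 only if the text matches the signature from Alice's key.
bob_verify() { gpg --homedir "$BOB" --batch --quiet --verify "$1" 2>/dev/null; }

# Bob: keep only the text the signature covers; bytes outside the armor
# lines of a downloaded file are not authenticated.
bob_extract() { gpg --homedir "$BOB" --batch --quiet --output "$2" --decrypt "$1" 2>/dev/null; }

cleanup() {
  GNUPGHOME="$ALICE" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$ALICE" "$BOB" "$WORK"
}

demo() {
  setup
  alice_sign "$WORK/text4KB.txt"
  # Simulate alteration in transit: change one digit on a body line.
  sed '5s/^0/9/' "$WORK/text4KB.txt.asc" > "$WORK/tampered.asc"
  bob_verify "$WORK/text4KB.txt.asc" && echo "as sent:  good signature"
  bob_verify "$WORK/tampered.asc"    || echo "tampered: bad signature"
  echo "readable payload lines in signed file: $(grep -c '^0123' "$WORK/text4KB.txt.asc")"
  cleanup
}
demo
```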

SSL/TLS Authentication

* Alice installs and configures a secure Apache web server on dcrld1.
  — The standard and secure Apache web servers use the same home directory.
* In a secure manner, Alice provides Bob with a copy of her secure Apache web server's self-signed SSL/TLS certificate.

SSL/TLS Authentication

* Bob configures dcrld0 to recognize dcrld1’s self-signed SSL/TLS certificate as authentic.
* Bob uses the cURL client on dcrld0 to retrieve each of the three text files on dcrld1 twenty times.
  — time curl --ciphers rsa_null_md5 https://dcrld1.dcrl.ulm.edu/text#KB.txt > /tmp/text#KB.txt

SSL/TLS Authentication

* Bob records transmission times in a Microsoft Excel spreadsheet.
* Bob computes the average transmission time for each text file.

IPsec Authentication

* Alice creates an IP layer “Host to Host” encrypted communication channel between dcrld1 and dcrld0 using the system-config-network Linux command on dcrld1.
* Alice edits the file /etc/racoon/racoon.conf and adds support for RSA authentication and NULL encryption.

IPsec Authentication

* Bob creates an IP layer “Host to Host” encrypted communication channel between dcrld0 and dcrld1 using the system-config-network Linux command on dcrld0.
* Bob edits the file /etc/racoon/racoon.conf and adds support for RSA authentication and NULL encryption.

IPsec Authentication

* Bob uses the cURL client on dcrld0 to retrieve each of the three text files on dcrld1 twenty times.
  — time curl http://dcrld1.cs.ulm.edu/text#KB.txt > /tmp/text#KB.txt




* Bob records transmission times in a Microsoft Excel spreadsheet.
* Bob computes the average transmission time for each text file.

[Figure 4 chart; axis: Transmission Time in Seconds]

Figure 4: GPG, SSL/TLS, IPsec, and No (i.e. “None”) Authentication Data Transmission Time.

[Figure 5 chart; axis: Percentage]

Figure 5: GPG, SSL/TLS, and IPsec Authentication Data Transmission Time as a Percentage of No (i.e. “None”) Authentication Data Transmission Time.

Conclusions


* With regard to the three authentication methods we evaluated, GPG performs the best.
* The paper lists the steps required to install and configure each of the authentication methods.

Future Research?

* I recommend that the ARRL consider offering the following services to the amateur radio community.
  — Act as a “clearing house” for GPG public keys.
  — Act as a SSL/TLS certificate authority (CA).

Questions?